Background

Each modem/router sold by NCF has a built-in web server to allow the modem to be configured by any computer via any browser.

In December 2014 Carnegie Mellon University CERT announced that some DSL modems/routers have a vulnerability that has existed in the firmware since 2002. The problem affects firmware whose web server component uses a vulnerable version of Allegro RomPager, which is employed by many modems/routers, including some of those sold by NCF.

Vulnerability

The security vulnerability can be fixed in recent modems/routers by upgrading the firmware, replacing the web server with a newer version that does not have the security vulnerability.

Older modems do not have a firmware upgrade available, so it is important to make full use of the available security to prevent outsiders from using the web server to re-configure the modem in some undesirable way.

It is possible to access the web server in two different ways:

Connect to the web server from the outside, via the DSL line (WAN side). This route is closed if you are using a modem/router that has been configured by NCF.

Connect to the web server from the inside (LAN side), either via your wireless or via an Ethernet cable. You are not going to let some unknown person connect by Ethernet, but you also need to prevent them from connecting to it wirelessly. It is therefore very important that you have good security on your wireless network, with a good password. If the modem/router has been configured by NCF, it will have a good password (by default, NCF uses your NCF DSL password also for log-in and Wi-Fi).

As a general rule, if your modem/router has been configured by NCF, and you are sure that unknown persons cannot use your wireless connection, you have pretty good security against the "Misfortune Cookie" vulnerability.

Fixes

NCF has looked into this vulnerability and recommends the following steps:

If your modem/router is in the level identified by TP-Link as upgradable, please ensure that you update the firmware, either yourself or by contacting NCF and arranging for the update to be done for you. You'll need to bring the modem/router with its power supply to NCF. No need to bring any cables (we have those).

If your modem/router is not upgradable, NCF highly recommends that you procure a newer modem/router, either from NCF or from a trusted store.

Carnegie Mellon University CERT also suggests that units that do not have new firmware available can have their firmware replaced with dd-wrt, openwrt, or others. NCF members can do this themselves at their own risk.
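One way to check, from the LAN side, which RomPager version your own modem's web server reports before and after a firmware update. This is an added example, not NCF's or TP-Link's code; the admin URL and the first fixed version are arguments you supply (take the fixed version from the CERT or vendor advisory), and the banner strings shown in comments are constructed samples.

```python
import re
import sys
import urllib.error
import urllib.request

# Matches the version in a Server banner, e.g. "RomPager/4.07 UPnP/1.0" (constructed sample).
BANNER_RE = re.compile(r"RomPager/(\d+(?:\.\d+)*)", re.IGNORECASE)

def rompager_version(server_header):
    """Return the reported RomPager version as a tuple of ints, or None if absent."""
    m = BANNER_RE.search(server_header or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(server_header, fixed_version):
    """Compare the banner with fixed_version, the first non-vulnerable release.

    fixed_version is supplied by the caller from the advisory; it is not
    hard-coded here. The banner is only a hint: a vendor can patch without
    changing it, and a missing banner does not prove the device is safe.
    """
    found = rompager_version(server_header)
    if found is None:
        return "no-rompager-banner"
    fixed = tuple(int(p) for p in fixed_version.split("."))
    width = max(len(found), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))  # so 4.7 and 4.7.0 compare equal
    return "needs-upgrade" if pad(found) < pad(fixed) else "at-or-above-fixed"

def fetch_server_header(url, timeout=5):
    """Send a HEAD request to your own modem's admin page and return its Server header."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Server", "")
    except urllib.error.HTTPError as err:
        # A 401 or 404 reply from the login page still carries the Server header.
        return err.headers.get("Server", "")

if __name__ == "__main__":
    # Usage: python check_rompager.py <modem admin URL on your LAN> <first fixed version>
    admin_url, fixed = sys.argv[1], sys.argv[2]
    print(classify(fetch_server_header(admin_url), fixed))
```

Run it from a computer connected to the modem's LAN, against the same address you use to open the modem's configuration page.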

Regardless of the above, the following two TP-Link articles describe recommended safe practices:

NCF has been verifying this on all modems since July/August 2014. NCF has also checked that the Remote Management port is disabled. See this TP-Link article for further step-by-step instructions.

Attacks from the LAN side are blocked by using a strong Wi-Fi password (NCF applies the DSL password here). If your Wi-Fi is open (no password is required to connect, as in many public places), then your modem is open to attack. We strongly advise that you implement Authentication Type: WPA-PSK/WPA2-PSK with Encryption: TKIP/AES to secure your Wi-Fi network with the highest available settings.